Category Archives: Data Security

NY Issues Data Breach Report

New York Attorney General, Eric. T. Schneiderman, stated in a recent press release that 9.2 million New Yorkers had their personal data compromised in 2017. Such data compromises were mainly due to large scale data hacks, such as the Equifax and Game Stop hacks. According to the NYAG office’s report, 1,583 data breaches were reported … Continue Reading

And Then There Was None: Alabama Becomes 50th State With Breach Notice Law

By Amber Thomson and Liisa Thomas on April 11, 2018 Posted in Data Breach, Data Security, Privacy

Alabama is the final US state to enact data breach notification legislation. The new law takes effect on June 1, 2018 and applies to electronic “sensitive” data. This includes full Social Security and government-issued identification numbers, account and payment card numbers (in combination with security or access codes or PIN numbers), health information, and a … Continue Reading

Oregon Updates Its Data Breach Notification Law

By Amber Thomson, Liisa Thomas and Kari Rollins on March 29, 2018 Posted in Data Breach, Data Security

Oregon’s governor recently passed into law S 1551. The bill amends the state’s existing breach notice law. The revision goes into effect in June. It adds to the definition of personal information that which would permit access to a financial account. It now also places the duty to notify not only on entities that own … Continue Reading

And Then There Was One: South Dakota Passes Breach Notice Law, Alabama May Not Be Far Behind

By Liisa Thomas and Amber Thomson on March 28, 2018 Posted in Data Breach, Data Security

South Dakota recently became the 49th US state to enact data breach notification legislation. The new law takes effect July 1, 2018 and mirrors other states’ breach notice laws. Information that if breached, gives rise to a duty to notify is defined to include Social Security and government-issued identification numbers, account and payment card numbers … Continue Reading

Power Company Slammed With Hefty $2.7M Fine After Data Breach

By Amber Thomson on March 14, 2018 Posted in Breach, Data Security

An unnamed power company was hit with a $2.7 million fine after it was discovered that protected information associated with the company’s critical cyber assets was posted online. The data was exposed on the internet for 70 days and included IP addresses and server host names. A white hat security researcher alerted the company to … Continue Reading

Crypto-Crime: The SEC and DOJ Go After BitFunder and Its BitFounder

By Jonathan E. Meyer on March 5, 2018 Posted in Consumer Protection, Data Security

Taking further steps into the world of cryptocurrency, two entities of the federal government recently took legal action against BitFunder, a now-defunct Bitcoin exchange, and its founder, Jon Montroll. The Securities and Exchange Commission filed civil charges against BitFunder and Montroll, and the U.S. Attorney’s Office in Manhattan brought criminal charges of perjury and obstruction … Continue Reading

Privacy, Data Security, and Your Board: Day Five

By Kari Rollins and Liisa Thomas on March 2, 2018 Posted in Consumer Privacy, Cybersecurity, Data Breach, Data Security, Employee Privacy, Privacy

In our final installment on privacy, cyber security, and your board, we look at privacy and cyber issues in M&A. So you are thinking about acquiring a new entity? Divesting of current one? Due diligence will need to be conducted to best understand and evaluate privacy and data security issues and risks. Your board will … Continue Reading

Privacy, Data Security, and Your Board: Day Three

By Kari Rollins and Liisa Thomas on February 28, 2018 Posted in Consumer Privacy, Cybersecurity, Data Breach, Data Security, Employee Privacy, Privacy

In our ongoing conversation about privacy, data security and your board, we turn next to cyber insurance and vendor management. Boards, when executing their duty of care, should keep in mind that while there may be some coverage for data incidents under a company’s CGL and D&O policies, there may be significant gaps in coverage … Continue Reading

Privacy, Data Security, and Your Board: Day Two

By Kari Rollins and Liisa Thomas on February 27, 2018 Posted in Cybersecurity, Data Security, Employee Privacy, Privacy

In our continuing series about privacy, data security and your board, we next turn to how to best educate a board. Yesterday we mentioned about how board members have a duty of care. Part of that duty includes effectively overseeing matters relating to privacy and data security (or the often-used buzzword “cybersecurity”). How can board … Continue Reading

SEC Takes Baby Steps on Cyber, but Signals Greater Vigilance

By Jonathan E. Meyer on February 27, 2018 Posted in Consumer Protection, Cybersecurity, Data Security, Privacy and Data Security

On February 21, the Securities and Exchange Commission issued new Interpretive Guidance regarding disclosures of cybersecurity-related information by publicly traded companies. This guidance comes in the context of public pressure on the SEC to update its 2011 Division of Corporation Finance guidance regarding cybersecurity risks and incidents. According to SEC Chairman Jay Clayton’s statement, this … Continue Reading

Justice Department Creates Cyber-Digital Task Force

By Jonathan E. Meyer and Townsend Bourne on February 26, 2018 Posted in Cybersecurity, Data Security, Government Privacy

On February 20, the Department of Justice announced that Attorney General Sessions had created a new, cross-departmental Cyber-Digital Task Force. He directed the Task Force to advise him on the most effective ways for DOJ to confront cyber threats and keep Americans safe. Specifically, the Task Force is charged with canvassing the work the Department … Continue Reading

There’s a Form for That? Breach Notices and State Reporting Portals

By Amber Thomson and Liisa Thomas on February 21, 2018 Posted in Data Breach, Data Security

The recent launch by Massachusetts Attorney General of an online data breach reporting portal is a reminder that many states have such online reporting mechanisms. In Massachusetts, companies that have suffered a data breach and are required to provide notice to the MA AG can either continue to submit a hard copy notice to MA, … Continue Reading

HHS-OCR Closes 2017 with Six Figure Settlement in PHI Data Breach Impacting Over 2 Million Individuals

By Sheppard Mullin on January 24, 2018 Posted in Breach, Data Security, Healthcare Privacy

At the end of last year the Department of Health and Human Services – Office for Civil Rights announced its resolution agreement and settlement with 21st Century Oncology for $2.3 million. The company, which billed itself as the largest operator of cancer treatment centers in the world, filed for bankruptcy in May of 2017. OCR’s … Continue Reading

2018: The Year of the FTC and Informational Injuries?

By Liisa Thomas and Snehal Desai on January 17, 2018 Posted in Consumer Privacy, Data Security, Privacy

What constitutes actionable consumer injuries post-breach or data misuse is a hotly contested topic. As we reported in our Advertising blog late last year the FTC hosted a workshop on December 12th to look at the issue. A large focus during the workshop was what constitutes harm to consumers. While there is a school of thought that … Continue Reading

The Encryption Battle Will Continue in 2018

By Jonathan E. Meyer on January 16, 2018 Posted in Cybersecurity, Data Security, Privacy, Privacy and Data Security

While they may disagree in other areas, one thing that former FBI Director James Comey, current Deputy Attorney General Rod Rosenstein, and current FBI Director Christopher Wray all have in common is their distaste for strong encryption that prevents the government from accessing information. In 2016, Comey and the Justice Department went to court to … Continue Reading

2018 Likely a Year of Rising Government Standards for Securing Information

By Jonathan E. Meyer on January 10, 2018 Posted in Data Security, Government Privacy

For companies that do business with the government, 2017 was a year of transition, as many began to follow the NIST Cybersecurity Framework, worked to accomplish Federal Risk and Authorization Management Program (FedRAMP) certification, or rushed to rid their systems of products from Kaspersky Lab. Perhaps most significant was the rush of Pentagon contractors to come … Continue Reading

ESPN Knocks VPPA Suit Out Of The Park

By Sheppard Mullin on January 9, 2018 Posted in Consumer Privacy, Consumer Protection, Data Security

The Ninth Circuit recently joined the Third Circuit in defining PII under the VPPA as “information that would readily permit an ordinary person to identify a specific individual’s video-watching behavior.” In the case, Eichenberger v. ESPN, Inc., the court found that because an ordinary person could not have identified the plaintiff from the information ESPN … Continue Reading

2017 Saw Ransomware on the Rise – 2018 Will See Even More

By Jonathan E. Meyer on January 8, 2018 Posted in Cybersecurity, Data Security

It’s fair to say that ransomware exploded in 2017. After inflicting an estimated $350 million in damage in 2015 and $850 million in 2016, at least one source estimates that it hit $5 billion last year. Most prominent among these were WannaCry, which shut down computers in 80 organizations affiliated with Britain’s National Health Service … Continue Reading

How Will Breach Laws Develop in 2018?

By Liisa Thomas on January 3, 2018 Posted in Cybersecurity, Data Security, Privacy and Data Security

You hopefully already know that Maryland’s amendment to its data breach notification law went into effect this week (on January 1, 2018). We anticipate that other states may follow one of Maryland’s modifications, namely its expansion of the definition of personal information. Under the amended law “personal information” now includes an expanded definition of biometric information. Biometric … Continue Reading

Cybersecurity in the First Year of the Trump Administration

By Jonathan E. Meyer on December 27, 2017 Posted in Cybersecurity, Data Security, Privacy and Data Security

As might be expected, the first year of the Trump Administration saw a lot of activity on the cybersecurity front. In May, the Administration issued its “Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure.” As we discussed in an analysis we issued shortly thereafter, the Order brought more accountability to agencies for monitoring their … Continue Reading

NIST’s Highly-Anticipated Security Requirements Draft Impacts Government Contractors’ Treatment of CUI

By Townsend Bourne on December 18, 2017 Posted in Cybersecurity, Data Security, Privacy

Government contractors have until December 31 to implement security requirements from NIST Special Publication (SP) 800-171 (here) as mandated by the Defense Federal Acquisition Regulation Supplement (DFARS). The requirements include provisions for protecting Controlled Unclassified Information (CUI) (government sensitive but unclassified information; see the CUI Registry here) in nonfederal systems and compliance is expected soon to … Continue Reading

Lessons Learned from Cyber Awareness Month – Part Two

By Jonathan E. Meyer on November 16, 2017 Posted in Consumer Protection, Cybersecurity, Data Security, Privacy, Privacy and Data Security

Following up on our last post about Cyber Awareness, we now focus on cybersecurity in the workplace. All organizations – large and small, for-profit and non-profit – need to be vigilant about cybersecurity. According to one analysis, 918 data breaches led to 1.9 billion data records being compromised worldwide in the first half of 2017, or … Continue Reading

CFPB Provides Guidance on Consumer Data Protection

By Liisa Thomas and Jonathan E. Meyer on November 14, 2017 Posted in Consumer Protection, Data Security

The Consumer Financial Protection Bureau (CFPB) recently released a set of Consumer Protection Principles aimed at the Fintech field. The Principles describe obligations when sharing or aggregating consumer financial information. The CFPB regulates and enforces consumer financial laws, and issued this release as part of its review of the Fintech industry. These Principles follow a … Continue Reading

FACTA Suit Dismissed for Lack of Harm

By Shanna Pearce on October 10, 2017 Posted in Consumer Protection, Data Security

A Florida court recently broke with other district courts in its circuit when it concluded that a plaintiff lacks standing to sue a defendant for mere technical violation of the Fair and Accurate Credit Transactions Act (FACTA) unless the plaintiff has been harmed. FACTA prohibits printing more than the last five digits of a credit … Continue Reading

By scrolling this page, clicking a link or continuing to browse our website, you consent to our use of cookies as described in our Cookie and Advertising Policy. If you do not wish to accept cookies from our website, or would like to stop cookies being stored on your device in the future, you can find out more and adjust your preferences here.

Agree